Identity-Aware Proxy

Use identity and context to sign in to apps and VMs

Identity-Aware Proxy (IAP) can help you control access to
your cloud and on-prem applications and VMs running on Google
Cloud Platform (GCP). IAP works by verifying user identity and
the context of the request to determine if a user should be
allowed to access an application or a VM. IAP is a building
block toward zero trust access, an enterprise security model
that enables every employee to work from untrusted networks
without the use of a VPN (e.g. Google's BeyondCorp
implementation).

Simpler for cloud admins

Add secure web access to an application in less time than it
takes to implement a VPN. Let your developers focus on their
application logic, while IAP takes care of authentication and
authorization. Only authenticated users are granted access to
the application.

Simpler for remote workers

End users point their web browser to an internet-accessible URL
to access IAP-secured applications. No VPN client is required.

Context-aware access

Administrators can create granular access control policies for
applications hosted on GCP, other clouds, and on-premises based
on attributes like user identity, device security status, and IP
address. IAP is a key component in Google Cloud’s context-aware
access solution.

Secure access administration

Configure a single layer of security to manage user access to
cloud applications. Administrators can improve security with
Security Key Enforcement to prevent phishing.

Features

Controls access without VPN

Manage access to your apps and VMs based on a user’s
identity and the context of the request (e.g. device status,
location) without a VPN. Powered by Google Cloud’s
context-aware access.

Saves admin time

Faster to deploy than a VPN. Once deployed, IAP provides a
single point of control for managing user access to web
applications.

Works with cloud and on-premises apps

IAP can protect access to applications hosted on GCP, other
clouds, and on-premises.

Saves end user time

Faster to sign into than a VPN. No VPN client login.

Deploys in minutes

Let your developers focus on their application logic, while
IAP takes care of authentication and authorization.

Protects your apps and VMs

With the new TCP forwarding feature, IAP can now protect SSH
and RDP access to your VMs hosted on GCP. Your VM instances
don't even need public IP addresses.

Pricing

There is no charge for using IAP. However, when used with
Compute Engine, the required load balancing and firewall
configuration may incur additional costs. Read more about load
balancing and protocol forwarding pricing in
the Compute Engine pricing guide.
